CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners are releasing a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities. This advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, and the associated Common Weakness Enumeration(s) (CWE), to help organizations better understand the impact exploitation could have on their systems. International partners include: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), New Zealand Computer Emergency Response Team (CERT-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory.  The advisory provides vendors, designers, and developers recommendations on implementing secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations’ recommendations to reduce the risk of compromise by malicious cyber actors. 

Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities because when cyber incidents are reported quickly, it can contribute to stopping further attacks.

In the U.S., organizations should inform CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or an FBI field office.